SAP Security Notes – September 2023 - Safe O'Clock

SAP Security Notes – September 2023

September 13, 2023

On the 12th of September 2023, SAP Security Patch Day saw the release of 13 new Security Notes.

There were 5 updates to previously released Security Notes.

 

Notes by severity

 

HotNews 5
Correction with high priority 2
Correction with medium priority 9
Correction with low priority 2

Highlights


On September Patch Day SAP presents 7 high-severity Notes, 5 of them are HotNews and 2 are rated as a correction with high priority.

We will start our digest for today with the usual Google Chromium browser Security update – Note 2622660Security updates for the browser control Google Chromium delivered with SAP Business Client – with CVSS Score of 10. This note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information.

BusinessObjects Business Intelligence Platform receives two critical security improvements:
The first is Note 3320355 Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) – with a CVSS Score of 9.9.
Under certain conditions, SAP BusinessObjects Business Intelligence Platform (Promotion Management) allows an authenticated attacker to read sensitive information that would otherwise be restricted. With successful exploitation, the attacker can entirely compromise the application, significantly impacting confidentiality, integrity, and availability.
The second is Note 3370490 Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) – with a CVSS Score of 8.7.
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) allows a report creator to transfer files from the local system into the report across the network due to insufficient file type validation. When uploading an image file, an authenticated attacker might intercept the request, change the content type and extension, and access and modify sensitive data, putting the application’s security and integrity at risk.
There is a 3245526 Note update also – Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) – with a CVSS Score of 9.9.
In some cases, SAP Business Objects Business Intelligence Platform (CMC) Program Object execution might result in a code injection vulnerability, allowing an attacker to get access to resources that are only accessible with additional privileges. A successful attack could have a significant impact on the system’s confidentiality, integrity, and availability.
This note has been re-released with updated ‘Support Packages & Patches’ information with updated patch levels.

At first glance, SAP NetWeaver AS Java Note receives highly-prioritised update as well. However, no additional actions from your side are required due to this security note was taken back inadvertently.
Note 3273480 Improper access control in SAP NetWeaver AS Java (User Defined Search) – with a CVSS Score of 9.9. This security note was taken back inadvertently and has been re-released without any changes. No additional customer action is required.

And for the last, SAP CommonCryptoLib get two important security corrections:
Note 3340576Missing Authorization check in SAP CommonCryptoLib – with a CVSS Score of 9.8.
SAP CommonCryptoLib fails to conduct required authentication checks, which may result in missing or incorrect permission checks for an authenticated user, resulting in privilege escalation. Depending on the program and the amount of access obtained, an attacker could read, edit, or delete restricted data as well as exploit capabilities restricted to a certain user group.
Note 3327896Memory Corruption vulnerability in SAP CommonCryptoLib – with a CVSS Score of 7.5.
An unauthenticated attacker can utilize SAP CommonCryptoLib to design a request that, when submitted to an open port, causes a memory corruption issue in a library, causing the target component to crash and become unavailable. There is no way to access or change any information.
We highly recommend you to pay special attention to them, as If these corrections for SAP CommonCryptoLib affect a decent amount of areas, such as ABAP, HANA systems and more if in use. If these vulnerabilities will be exploited, the systems confidentiality will most likely be compromised.

 

Summary

SAP Component Number Description Priority CVSS CVSS Vector
BC-FES-BUS-DSK 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client HotNews 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BI-BIP-LCM 3320355 [CVE-2023-40622] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-XI-CON-UDS 3273480 [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
BI-BIP-CMC 3245526 [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-IAM-SSO-CCL 3340576 [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib HotNews 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
BI-RA-WBI-FE 3370490 [CVE-2023-42472] Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) high 8.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
BC-IAM-SSO-CCL 3327896 [CVE-2023-40308] Memory Corruption vulnerability in SAP CommonCryptoLib high 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
BC-SYB-PD 3357163 [CVE-2023-40621] Code Injection vulnerability in SAP PowerDesigner Client medium 6.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
BI-BIP-INS 3317702 [CVE-2023-40623] Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite(installer) medium 6.2 CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H
MM-FIO-PUR-REQ-SSP 3156972 [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search) medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CA-UI5-COR 3149794 Cross-Site Scripting (XSS) vulnerabilities in jQuery-UI library bundled with SAPUI5 medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
FS-QUO 3349805 Denial of service (DOS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP Quotation Management Insurance (FS-QUO) medium 5.7 CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
BC-WD-UR 3323163 [CVE-2023-40624] Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) medium 5.5 CVSS:/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
MM-FIO-PUR-SQ-CON 3326361 [CVE-2023-40625] Missing Authorization check in Manage Purchase Contracts App medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
BI-BIP-LCM 3352453 [CVE-2023-37489] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
BC-GP 3348142 [CVE-2023-41367] Missing Authentication check in SAP NetWeaver (Guided Procedures) medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
FI-FIO-AP 3369680 [CVE-2023-41369] External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) low 3.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
FI-FIO-AP-CHK 3355675 [CVE-2023-41368] Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) low 2.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – May 2024

On the 14th of May 2024, SAP Security Patch Day saw the release of 14 new Security Notes. There were […]

Read more
SAP Security Notes – April 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for March 2024

SAP and NVIDIA partnership Another SAP partnership has benefited from the use of artificial intelligence. SAP SE and NVIDIA announced […]

Read more
SAP Security Notes – March 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK